[dnssec-deployment] Computer Wire story on DNSSEC Deployment

David Blacka davidb at verisignlabs.com
Thu Apr 7 20:05:13 EDT 2005


On Apr 7, 2005, at 6:59 PM, Paul Vixie wrote:

>>> I concur with Paul. This is not nearly as bad as it could have been,
>>> and is quite good in spots. If the worst thing that happens is that
>>> this article causes people to ask clarifying questions, that's a
>>> good problem to have as well.
>>
>> Oh, yes, this article was much better than, say, this one:
>>
>> http://www.enterprisenetworkingplanet.com/netsecur/article.php/3494711
>
> what's wrong with that article?  it explains why dnssec won't be global
> for a while, and while it doesn't mention the opt-in problems specific to
> .COM, it does do a good job explaining why it's hard to sign the root zone.

This section sort of stood out: "Unfortunately, it relies on a 
public/private key system, and that type of system typically doesn't 
scale Internet-wide."

That's nice to know.  I guess we should stop doing DNSSEC now, since it 
won't scale.

Also nice to know that "The proposed solution to the basic key 
management problem is to have Network Solutions sign everyone's public 
key."  I think the folks at Network Solutions are unaware of this 
awesome responsibility.

There are other gems in there, too.

I guess I missed the explanation of why it's hard to sign the root.

But, I'm glad that you liked the article, Paul.

--
David Blacka    <davidb at verisignlabs.com>
Sr. Engineer    Verisign Applied Research



